How do I prevent a User to deploy to a specific Org (eg Production)

To prevent a Copado user to Deploy to an environment, eg Production, this is how you do it.

1. Make sure that this user has no access to a sys admin user in Production, regardless of Copado.

2. Make sure that custom object Org credential is set to private (this is by default)

3. Using standard salesforce security, the user will not have visibility for any record that he doesn't own.

4. Make sure that custom object Deployment is set to private (this is by default) 5. Using standard salesforce security, the user will not have visibility of any record that he doesn't own.

An extra security, if necessary can be achieved with validation rules, so that if a "Destination Org" record is created for a Production Org and the running user is not X, then show error "you can't deploy to production". This will prevent adding Production as a destination org to a deployment unless you are X.